In a landmark move, the Indian government recently notified the Digital Personal Data Protection (DPDP) Rules, 2025, the administrative rules under the DPDP Act, 2023, officially operationalizing the country's national digital privacy regime. This development, which comes almost 14 years after the concept was first introduced, provides a clear legal framework for handling digital personal data in India.
Key details from the notification include:

| Basis | Key details in brief |
|---|---|
| Implementation timeline | A staggered roadmap gives most companies (Data Fiduciaries) and other stakeholders up to 18 months to achieve full compliance with the new rules. Consent Managers have 12 months to register. |
| Stricter consent | Data Fiduciaries must seek specific and informed consent from users (Data Principals) in clear and plain language. The consent request must state exactly which personal data will be processed and the specific purpose of the collection. Users retain the right to withdraw consent as easily as they gave it. |
| Data breach protocol | In the event of a personal data breach, Data Fiduciaries must notify all affected users and the newly established Data Protection Board (DPB) within 72 hours of becoming aware of the breach. |
| Significant Data Fiduciaries (SDFs) | Large platforms with over 5 million registered users are classified as SDFs and must undertake an annual audit and a Data Protection Impact Assessment (DPIA) to demonstrate ongoing compliance. |
| Data deletion | Specified high-user-volume entities (e.g., e-commerce and social media platforms with over 20 million users) must erase the personal data of users who have been inactive for three consecutive years, after giving at least 48 hours' notice before erasure. |
| Cross-border transfer | The rules permit the cross-border transfer of personal data, subject to specific compliance requirements set by the Central Government, particularly regarding data made available to foreign states or entities under their control. |
The rules operationalize the SARAL design philosophy (Simple, Accessible, Rational, and Actionable):
- Consent: Consent notices must be standalone and purpose-specific.
- Data Principal Rights: Individuals (Data Principals) are granted rights to access, correct, update, or erase their personal data, and can nominate someone to exercise these rights on their behalf. Organizations must respond to these requests within 90 days.
Children's Data Protection
Rule 10 establishes a clear obligation for Data Fiduciaries to obtain verifiable parental consent before processing a child's personal data.
- Accepted methods include digital identity mechanisms such as Digital Locker tokens.
- Narrow exemptions are provided for essential services in healthcare, education, and child safety, but only for data strictly used for the stated purpose.
Privacy and AI Governance
The framework is designed to align data security and lifecycle management with the needs of the growing AI-led economy. Strong data practices, transparency, control, and accountability are viewed as the foundation for successful AI adoption.
India's Privacy Framework Shifts to Execution
The notification of the Digital Personal Data Protection (DPDP) Rules, 2025, marks the pivotal moment where India's digital privacy vision transitions from policy to an enforceable, operational reality.
This comprehensive framework places citizens at the core, establishing their right to explicit, informed consent and providing actionable rights to access, correct, or erase their personal data. For Data Fiduciaries (companies and other entities), the rules introduce clear, high-stakes accountability, mandating:
- A significant overhaul of consent mechanisms (consent must be specific and sought in plain language).
- A phased compliance period of at most 18 months in which to make fundamental systemic changes.
- Strict security safeguards and a non-negotiable 72-hour breach notification window to the Data Protection Board (DPB) and affected individuals.
With the DPDP Act and Rules now notified and the compliance clock running, the focus shifts entirely to execution. The coming months will be critical as all sectors of India's digital economy, from Big Tech to startups and government services, must translate these regulatory requirements into concrete, embedded practices to ensure compliance and build customer trust in a more secure and resilient digital ecosystem.